Kubernetes CKS【10】---Cluster Hardening - Restrict API Access

简介: Kubernetes CKS【10】---Cluster Hardening - Restrict API Access

文章目录

1. 介绍

2. Practice - Anonymous Access

3. Practice - Insecure Access

4. Practice - Manual API Request

5. Practice - External Apiserver Access

6. NodeRestriction AdmissionController

7. Practice - Verify NodeRestriction

1. 介绍

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

2. Practice - Anonymous Access

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

root@master:~/cks/serviceaccount# curl https://localhost:6443
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@master:~/cks/serviceaccount# curl https://localhost:6443 -k
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
  },
  "code": 403
}root@master:~/cks/serviceaccount# vim /etc/kubernetes/manifests/kube-apiserver.yaml 
...
    - kube-apiserver
    - --anonymous-auth=false
    - --advertise-address=192.168.211.40
....
root@master:~/cks/serviceaccount# k get pods | grep api
The connection to the server 192.168.211.40:6443 was refused - did you specify the right host or port?
root@master:~/images# k get pods -n kube-system | grep api
kube-apiserver-master                      1/1     Running   0          8m3s
root@master:~/images# k get pods -n kube-system | grep api
kube-apiserver-master                      1/1     Running   0          3s

1035234-20181020215539574-213176954.png

root@master:~/cks/serviceaccount# vim /etc/kubernetes/manifests/kube-apiserver.yaml 
...
    - kube-apiserver
    - --anonymous-auth=true #默认其实为true
    - --advertise-address=192.168.211.40
....
root@master:~/cks/serviceaccount# curl https://localhost:6443 -k
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
  },
  "code": 403
}

3. Practice - Insecure Access

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

root@master:~/cks/serviceaccount# curl https://localhost:6443 -k
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
  },
  "code": 403
}
root@master:~# vim /etc/kubernetes/manifests/kube-apiserver.yaml
...
    - kube-apiserver
    - --advertise-address=192.168.211.40
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=8080  #0改成8080
  .....
root@master:~/cks/serviceaccount# k get pods | grep api
The connection to the server 192.168.211.40:6443 was refused - did you specify the right host or port?
root@master:~/images# k get pods -n kube-system | grep api
kube-apiserver-master                      1/1     Running   0          3s
root@master:~# curl http://localhost:8080

4. Practice - Manual API Request

1035234-20181020215539574-213176954.png

5. Practice - External Apiserver Access

1035234-20181020215539574-213176954.png

root@master:/etc/kubernetes/pki# k edit svc
....
  type: NodePort
....
root@master:/etc/kubernetes/pki# k get svc
NAME         TYPE       CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE
kubernetes   NodePort   10.96.0.1    <none>        443:30300/TCP   19h
root@master:/etc/kubernetes/pki# curl https://192.168.211.40:30300 -l
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@master:/etc/kubernetes/pki# curl https://192.168.211.40:30300 -k
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
  },
  "code": 403
}
root@master:~/cks/apiserver# k config view --raw >config
root@master:~/cks/apiserver# k --kubeconfig config get ns
NAME              STATUS   AGE
default           Active   19h
kube-node-lease   Active   19h
kube-public       Active   19h
kube-system       Active   19h
root@master:~/cks/apiserver# vim config
.....
   server: https://192.168.211.40:30300  #6443改为30300
.... 
root@master:~/cks/apiserver# k --kubeconfig config get ns
NAME              STATUS   AGE
default           Active   19h
kube-node-lease   Active   19h
kube-public       Active   19h
kube-system       Active   19h

6. NodeRestriction AdmissionController

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

7. Practice - Verify NodeRestriction

1035234-20181020215539574-213176954.png

root@master:~/cks/apiserver# vim /etc/kubernetes/manifests/kube-apiserver.yaml 
....
- --enable-admission-plugins=NodeRestriction
...
root@master:~/cks/apiserver# k get ns
Error from server (Forbidden): namespaces is forbidden: User "system:node:master" cannot list resource "namespaces" in API group "" at the cluster scope
root@master:~/cks/apiserver# export KUBECONFIG=/etc/kubernetes/kubelet.conf.
root@master:~/cks/apiserver# k label node master cks/test=yes
node/master labeled
root@master:~/cks/apiserver# k label node node1 cks/test=yes
Error from server (Forbidden): nodes "node1" is forbidden: node "master" is not allowed to modify node "node1"



相关实践学习
深入解析Docker容器化技术
Docker是一个开源的应用容器引擎,让开发者可以打包他们的应用以及依赖包到一个可移植的容器中,然后发布到任何流行的Linux机器上,也可以实现虚拟化,容器是完全使用沙箱机制,相互之间不会有任何接口。Docker是世界领先的软件容器平台。开发人员利用Docker可以消除协作编码时“在我的机器上可正常工作”的问题。运维人员利用Docker可以在隔离容器中并行运行和管理应用,获得更好的计算密度。企业利用Docker可以构建敏捷的软件交付管道,以更快的速度、更高的安全性和可靠的信誉为Linux和Windows Server应用发布新功能。 在本套课程中,我们将全面的讲解Docker技术栈,从环境安装到容器、镜像操作以及生产环境如何部署开发的微服务应用。本课程由黑马程序员提供。 &nbsp; &nbsp; 相关的阿里云产品:容器服务 ACK 容器服务 Kubernetes 版(简称 ACK)提供高性能可伸缩的容器应用管理能力,支持企业级容器化应用的全生命周期管理。整合阿里云虚拟化、存储、网络和安全能力,打造云端最佳容器化应用运行环境。 了解产品详情: https://www.aliyun.com/product/kubernetes
相关文章
|
7月前
|
Kubernetes API 网络安全
当node节点kubectl 命令无法连接到 Kubernetes API 服务器
当Node节点上的 `kubectl`无法连接到Kubernetes API服务器时,可以通过以上步骤逐步排查和解决问题。首先确保网络连接正常,验证 `kubeconfig`文件配置正确,检查API服务器和Node节点的状态,最后排除防火墙或网络策略的干扰,并通过重启服务恢复正常连接。通过这些措施,可以有效解决与Kubernetes API服务器通信的常见问题,从而保障集群的正常运行。
437 17
|
JSON API 开发工具
【Azure 应用服务】调用Azure REST API来获取 App Service的访问限制信息(Access Restrictions)以及修改
【Azure 应用服务】调用Azure REST API来获取 App Service的访问限制信息(Access Restrictions)以及修改
121 1
|
Prometheus Kubernetes Cloud Native
云原生周刊:Argo Rollouts 支持 Kubernetes Gateway API 1.0 | 2024.7.1
探索开源世界:Kubetools的推荐系统[Krs](https://github.com/kubetoolsca/krs)助力K8s优化,追踪K8s组件清单,指引IAC集成。阅读建议: Prometheus与Thanos的进化故事,Adidas容器平台管理经验,K8s请求实现详解。关注云原生:Argo Rollouts支持Gateway API 1.0,Kubewarden v1.14强化策略与镜像安全。
171 0
|
11月前
|
监控 API 索引
Elasticsearch集群使用 _cluster/health API
Elasticsearch集群使用 _cluster/health API
374 2
|
12月前
|
Kubernetes 安全 Cloud Native
云上攻防-云原生篇&K8s安全-Kubelet未授权访问、API Server未授权访问
本文介绍了云原生环境下Kubernetes集群的安全问题及攻击方法。首先概述了云环境下的新型攻击路径,如通过虚拟机攻击云管理平台、容器逃逸控制宿主机等。接着详细解释了Kubernetes集群架构,并列举了常见组件的默认端口及其安全隐患。文章通过具体案例演示了API Server 8080和6443端口未授权访问的攻击过程,以及Kubelet 10250端口未授权访问的利用方法,展示了如何通过这些漏洞实现权限提升和横向渗透。
941 0
云上攻防-云原生篇&K8s安全-Kubelet未授权访问、API Server未授权访问
|
Kubernetes Serverless API
Kubernetes 的架构问题之利用不可变性来最小化对API Server的访问如何解决
Kubernetes 的架构问题之利用不可变性来最小化对API Server的访问如何解决
150 8
|
资源调度 Kubernetes API
在K8S中,能否实现不通过api-Server创建Pod?
在K8S中,能否实现不通过api-Server创建Pod?
|
Kubernetes 负载均衡 API
在K8S中,api-service 和 kube-schedule 高可用原理是什么?
在K8S中,api-service 和 kube-schedule 高可用原理是什么?
|
Kubernetes 监控 API
在k8S中,各模块如何与API Server进行通信的?
在k8S中,各模块如何与API Server进行通信的?
|
存储 Kubernetes 负载均衡
在K8S中,api-server究竟是如何实现高可用?
在K8S中,api-server究竟是如何实现高可用?

热门文章

最新文章

推荐镜像

更多